Let’s talk about encryption. Again.

WELCOME to Connected Rights, your fire in the hold of digital rights news and analysis.

RUSSIA IS PROVIDING A HORRIFYING/HILARIOUS CASE STUDY into the effects of trying to censor a popular service that doesn’t want to be censored.

After a court ordered the blocking of encrypted messaging app Telegram (for not being willing/able to share encryption keys with the feds), telecoms/censorship agency Roskomnadzor told ISPs to enact the ban. Then Telegram shifted its infrastructure to Amazon Web Services and Google Cloud, in order to bypass the block.

So, on Monday, Roskomnadzor started blocking AWS and Google Cloud IP addresses. At the last count, it had blocked 16 million of them, causing havoc among everyone else who uses the world’s most popular cloud platforms in Russia. Unsurprisingly, Roskomnadzor has been whacked with multiple DDoS attacks for its troubles.

Well, if you’re going to do it, do it properly. Except, as Telegram founder Pavel Durov crowed yesterday afternoon, Telegram was still up and running. “As the last day showed, in its war with progress, Russia’s supervisory authorities are ready to block millions of IP addresses of cloud hosting without regard to losses of extraneous projects,” he said (I used Google Translate there, obviously).

As one tweeter put it: “There are now more blocked IP addresses than Telegram users. Telegram is still working.”

SPEAKING OF ENCRYPTED MESSAGING AND FRUSTRATED GOVERNMENTS, the Australian government is insisting that it’s still going to produce legislation mandating backdoors in encrypted communications services. The legislation is reportedly in “the advanced stages of development”.

The legislation was supposed to appear in November last year, but has now been delayed twice. The opposition Labor party is sceptical that the legislation will be “workable”. Meanwhile, the Greens are pointing out that it has been “proven over and over again” that backdoors can’t be maintained for the use of authorities, without making the services vulnerable to others as well.

MEANWHILE, THE EU’S PRIVACY REGULATORS HAVE ISSUEDa statement about strong and efficient encryption. Spoiler: they like it. Indeed, they see it as “a necessity in order to guarantee the protection of individuals with regard to the confidentiality and integrity of their data which are the elementary underpinning of the digital economy.”

“Any obligation aiming at reducing the effectiveness of those techniques in order to allow law enforcement access to encrypted data could seriously harm the privacy of European citizens,” the Article 29 Working Party (soon to become the European Data Protection Board) said.

Oh, and hey Australia: “Backdoors and master keys deprive encryption of its utility and cannot be used in a secure manner… The mathematical foundation of cryptology does not provide the basis for a secure backdoor, and numerous examples in history have shown that master keys and backdoors cannot be kept secure, even by major law enforcement agencies or by companies specialised in key management.”

Perhaps one day it will no longer be necessary to keep retreading this ground. Perhaps.

GOOGLE IS INTRODUCING A “CONFIDENTIAL MODE” to Gmail. According to The Verge, this “lets Gmail users stop recipients from forwarding certain emails, or restricts the ability to copy, download, or print them”. It also introduces the ability to demand recipients enter a passcode in order to open emails.

Which is neat, and good for business users (Microsoft is doing the same in Outlook). But where’s end-to-end encryption for Gmail? It’s been almost four years since Google said it was coming, but last year the company handed over its research efforts to the open source community. And since then…?

TECH FIRMS WILL NEED TO HAND OVER EMAILS AND TEXTS to European terrorism investigators within as little as six hours of being ordered to do so, according to new proposals from the European Commission.

The proposal describes a new mechanism called a European Production Order, which will allow a judicial authority in one EU country to demand electronic evidence from a provider that’s set up in another member state. The six-hours thing is for real emergencies; generally the deadline will be 10 days. Right now, it takes up to 120 days for such requests to be fulfilled, under a European Investigation Order.

One key sentence in the proposal (full text here): “Data should be provided regardless of whether it is encrypted or not.”

The justification for the change appears to be that the internet helps criminals crime faster, which is an… interesting take on due process. Here’s justice commissioner Vera Jourová: “While law enforcement authorities still work with cumbersome methods, criminals use fast and cutting-edge technology to operate. We need to equip law enforcement authorities with 21st century methods to tackle crime, just as criminals use 21st century methods to commit crime.”

ISPs are unimpressed. Here’s trade body EuroISPA: “Challenges consist of the multitude of legal systems across the EU, as well as security issues and the feasibility of verification of requests from other member states. These are of significant concern for due process, legal clarity and liability for European ISPs, the majority being SMEs without their own legal departments.”

MORE THAN HALF OF ANDROID APPS AIMED AT KIDS potentially violate the US Children’s Online Privacy Protection Act (COPPA). The most popular violations (both evident in about 40% of apps surveyed by researchers) were the sharing of personal information without reasonable security measures, and “ignorance or disregard for contractual obligations aimed at protecting children’s privacy”. Meanwhile, 18% shared persistent identifiers for illegal targeted advertising, and 4.8% shared location or contact information without consent.

Bravo, Google, for the sterling job you’re doing in protecting the younger generation. (See also: allowing YouTube Kids to induct the wee ones into the whacky world of conspiracy theories.)

I’VE DESPERATELY TRIED TO AVOID TALKING ABOUT FACEBOOK in this week’s Connected Rights (it’s all been a bit much even for me), but sorry, this case deserves a mention. A right-wing user in Germany has won an interim injunction against Facebook to stop the social network from deleting his offensive comment on a news article, and from blocking him for posting it.

“Gabor B”‘s comment was not outright hate speech, at least to my eyes, but it was certainly nasty, implying that immigrants are unskilled and referring to the “Systemmedien”, a term that carries echoes of Nazi terminology. He’s retained a conservative lawyer called Joachim Steinhöfel, who’s on a crusade against the NetzDG, the German law that forces firms like Facebook to be quick and proactive about removing (usually right-wing) hate speech.

Steinhöfel tells me he has more cases of this sort in the works, so this is a situation that will likely develop pretty soon.

OH ALRIGHT, SINCE WE’RE ON THE SUBJECT, Facebook is also rolling out its new, supposedly-GDPR compliant privacy settings. It seems the interface is very much designed to steer people towards giving Facebook as many permissions as possible, though. The T&Cs consent page looks particularly dodgy – I wonder what EU privacy regulators will make of that.

Another noteworthy element of those changes is that Facebook is bringing back facial recognition to the EU – with users’ consent, of course. It stopped using the technology in the bloc back in 2012, after being hammered by German regulators over the lack of consent.

If you’d like me to write articles for you about digital rights issues, speak at your event or provide privacy advice for your business, drop me an email at david@dmeyer.eu.

THE UK’S GROTESQUE WINDRUSH SCANDAL HAS ACQUIRED A DATA PROTECTION element. According to the Home Office, the Border Agency decided in 2010 to destroy the disembarkation cards of immigrants back in the 50s and 60s, “to ensure that personal data… should not be kept for longer than necessary. Keeping these records would have represented a potential breach of these principles”.

Which is one reason why people who immigrated back then subsequently found that their names were “not in the system” and have been unable to prove their status. The Home Office seems to have an odd interpretation of “necessary”.

CHINA’S DYSTOPIAN SURVEILLANCE STATE hit the headlines again last week, after a guy who was wanted for “economic crimes” was nabbed at a pop concert. Facial recognition tech picked him out from a crowd of 60,000 people. “If I knew, I wouldn’t have gone,” he reportedly said after being arrested.

SHOULD ROBOTS BE GRANTED “PERSONHOOD”? This is a live debate in Europe right now, and my former colleagues at Politico are on the case.

About the author

I’m David Meyer, a tech journalist with more than a decade’s experience writing about technology. I’ve covered many topics in that time, though I’m most interested in the policy decisions and technological breakthroughs that will shape our world. You can find me on Twitter as @superglaze and on Facebook as @davidmeyerwrites.